PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

FortiSOAR - Server-side Template Injection in playbook execution
An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management ...
FortiSOAR 7.3.1, 7.3.0
Apr 11, 2023 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon High IR Number: FG-IR-23-051 CVE-2023-27995
FortiSOAR - Improper Authorization in request headers
An improper access control vulnerability [CWE-284] in FortiSOAR's playbook component may allow an attacker authenticated o...
FortiSOAR 7.3.1, 7.3.0
Mar 07, 2023 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon High IR Number: FG-IR-23-050 CVE-2023-25605
FortiSOAR - HTML Injection Vulnerabilities
Improper neutralization of input during web page generation [CWE-79] in FortiSOAR may allow an authenticated attacker to i...
FortiSOAR 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0
Dec 06, 2022 Severity black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Low IR Number: FG-IR-22-220 CVE-2022-38379
FortiSOAR - PostgreSQL DB access to local users
A missing authentication for critical function [CWE-306] vulnerabilty in FortiSOAR's Postgres database may allow a local a...
FortiSOAR 7.2.2, 7.2.1, 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0
Nov 01, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Medium IR Number: FG-IR-22-216 CVE-2022-42473
FortiSOAR - OS Command Injection in Agent Password Field
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fo...
FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1
Sep 06, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Medium IR Number: FG-IR-22-156 CVE-2022-29061
FortiSOAR - Path traversal vulnerabilities in the web API
Multiple relative path traversal vulnerabilities [CWE-23] in the web API of FortiSOAR may allow an authenticated attacker ...
FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0
Sep 06, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Medium IR Number: FG-IR-22-154 CVE-2022-29062
FortiSOAR - Privilege escalation from nginx user to root
An improper privilege management vulnerability [CWE-269] in FortiSOAR may allow a GUI user who has already found a way to ...
FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0
Sep 06, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Medium IR Number: FG-IR-22-152 CVE-2022-30298
FortiSOAR - Server-Side Template Injection in Playbook component
An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management ...
FortiSOAR 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0
Sep 06, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Medium IR Number: FG-IR-22-306 CVE-2022-35847
FortiSOAR - Improper access control on gateway API
An improper access control vulnerability [CWE-284] in FortiSOAR may allow an unauthenticated attacker to access gateway AP...
FortiSOAR 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0
May 03, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon lightgray-background-circle-icon Medium IR Number: FG-IR-22-041 CVE-2022-23443
CVE-2022-22965 and CVE-2022-22963 vulnerabilities
Two distinct spring project vulnerabilities where released recently with critical CVSS score and classified as zero-Day at...
FortiSOAR 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0
Apr 01, 2022 Severity black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon High IR Number: FG-IR-22-072 CVE-2022-22965 and 2022-22963